Splunk Search

How to filter Windows Security Event Logs containing machine name as username?

caroline_fortun
Explorer

Hello everyone,

I'm trying to filter some Windows Security Event Logs that contain the machine name as the username.
To do this I created the props.conf and transforms.conf files below on the Windows machines where I've installed the Splunk Forwarder (/etc/system/local and /etc/apps/Splunk_TA_Windows/local).

props.conf

[WinEventLog:Security]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = (?ms)EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)(.*Security ID:.*\$).*Account.*
DEST_KEY = queue
FORMAT = nullQueue

Are there any errors in my regex? Do I have to do something else?
I already put the files on the indexer too, but I am still getting events.

Best Regards,
Caroline Fortunato

0 Karma
1 Solution

Lowell
Super Champion

By Splunk forwarder do you mean "Universal Forwarder"? If so, please note that the Universal Forwarder does not handle data parsing; that's handled by the receiving system, like your Splunk Indexer.

If you place this configuration on your indexer and restart it, this filter should take effect for new events as they arrive.

This blog post may also be of interest to you: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/


Update:

A possible, more efficient regex. (Test with your actual events before using it)

REGEX = (?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)[\r\n].*?[\r\n]\s+Security ID:\s+[^\r\n]+\$[\r\n]

View solution in original post
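
To make the "test with your actual events" advice concrete, here is an added Python example; it is not code from the thread or from Splunk. It builds a few constructed WinEventLog:Security events (the hostname, SIDs, account names and record numbers are made up) and runs both regexes from this thread over each whole raw event, which is how Splunk applies a nullQueue TRANSFORMS regex. Lowell's regex is used with the unmatched ')' after '\$' removed, since it does not compile as posted. Python's re module handles these particular PCRE patterns the same way.

```python
import re

# Added example (not from the thread): run the two nullQueue regexes from this
# thread over constructed WinEventLog:Security events to see which events each
# one would discard. Splunk applies REGEX (PCRE) to the whole raw event; Python's
# re module treats these particular patterns identically.
EVENT_CODES = r"(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)"

# Caroline's original transforms.conf REGEX.
REGEX_ORIGINAL = r"(?ms)EventCode=" + EVENT_CODES + r"(.*Security ID:.*\$).*Account.*"

# Lowell's line-anchored REGEX, with the stray ')' after '\$' removed so it compiles.
REGEX_ANCHORED = (
    r"(?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+"
    r"EventCode=" + EVENT_CODES + r"[\r\n].*?[\r\n]\s+Security ID:\s+[^\r\n]+\$[\r\n]"
)

FILTERS = {
    "original": re.compile(REGEX_ORIGINAL),
    "anchored": re.compile(REGEX_ANCHORED),
}


def win_event(code, task, message_lines):
    """Build a raw event in the classic Splunk WinEventLog format (constructed sample)."""
    header = [
        "05/23/2014 10:15:42 AM",
        "LogName=Security",
        "SourceName=Microsoft Windows security auditing.",
        f"EventCode={code}",
        "EventType=0",
        "Type=Information",
        "ComputerName=WS01.contoso.local",
        f"TaskCategory={task}",
        "OpCode=Info",
        "RecordNumber=123456",
        "Keywords=Audit Success",
    ]
    return "\n".join(header + message_lines) + "\n"


def logon_4624(subject_sid, subject_name, logon_type, new_sid, new_name):
    """Constructed 4624 event: Subject block first, then the New Logon block."""
    return win_event(4624, "Logon", [
        "Message=An account was successfully logged on.",
        "",
        "Subject:",
        f"\tSecurity ID:\t\t{subject_sid}",
        f"\tAccount Name:\t\t{subject_name}",
        "\tAccount Domain:\t\tCONTOSO",
        "\tLogon ID:\t\t0x3E7",
        "",
        f"Logon Type:\t\t\t{logon_type}",
        "",
        "New Logon:",
        f"\tSecurity ID:\t\t{new_sid}",
        f"\tAccount Name:\t\t{new_name}",
        "\tAccount Domain:\t\tCONTOSO",
        "\tLogon ID:\t\t0x1A2B3C",
    ])


# Constructed samples; hostname, SIDs and account names are made up.
SAMPLES = {
    # Machine-account network logon: the noise the thread wants to drop.
    "machine_network_logon": logon_4624("NULL SID", "-", 3, r"CONTOSO\WS01$", "WS01$"),
    # Ordinary user network logon: must be kept.
    "user_network_logon": logon_4624("NULL SID", "-", 3, r"CONTOSO\jdoe", "jdoe"),
    # Interactive user logon: the Subject is the local computer account (WS01$),
    # the New Logon is a human. A SOC wants to keep this one.
    "user_interactive_logon": logon_4624("SYSTEM", "WS01$", 2, r"CONTOSO\jdoe", "jdoe"),
    # Machine-account event whose EventCode is not in the list: must be kept.
    "machine_process_4688": win_event(4688, "Process Creation", [
        "Message=A new process has been created.",
        "",
        "Subject:",
        "\tSecurity ID:\t\tCONTOSO\\WS01$",
        "\tAccount Name:\t\tWS01$",
        "\tAccount Domain:\t\tCONTOSO",
        "\tLogon ID:\t\t0x3E7",
        "",
        "Process Information:",
        "\tNew Process Name:\tC:\\Windows\\System32\\svchost.exe",
    ]),
}


def nullqueue_decisions(event):
    """Map each filter name to True if that REGEX would send the event to nullQueue."""
    return {name: rx.search(event) is not None for name, rx in FILTERS.items()}


def dropped_by(filter_name):
    """Names of the constructed samples that the named filter would discard."""
    return sorted(n for n, ev in SAMPLES.items() if FILTERS[filter_name].search(ev))


if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(f"{name:24s} {nullqueue_decisions(event)}")
```

The two patterns disagree on the interactive logon sample: the original regex accepts a `$` anywhere after any `Security ID:` text, so the computer account in the Subject's `Account Name` line is enough to discard a human's logon, while the anchored version only matches when the `Security ID:` line itself ends in `$`. Because nullQueue discards are unrecoverable, run a check like this against events exported from your own environment before putting the transform on the heavy forwarder or indexer.
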
caroline_fortun
Explorer

Hello Lowell,

I discovered the problem. I am using a heavy forwarder between the Windows machines and the indexer, so parsing occurs at the heavy forwarder.
I put the files on the heavy forwarder machine, restarted Splunk, and it worked.

Thanks for your help!

Regards,
Carol

Lowell
Super Champion

Yeah, sorry, I missed that comment at the end the first time I read through it. I'm looking closer at the regex now. It looks inefficient, but I'm not sure if it's actually wrong. Without a sample event it's difficult to say for sure. Have you tested it using any tools like RegexBuddy or Kodos? Oh, keep in mind that the blog post is only relevant for the most recent versions of Splunk.

0 Karma

caroline_fortun
Explorer

I placed the files on the indexer too but it didn't work. I'll have a look at the post.

0 Karma